<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0"><channel><title><![CDATA[Firewalling]]></title><description><![CDATA[Discussions about firewalling functionality in pfSense software]]></description><link>https://forum.netgate.com/category/4</link><generator>RSS for Node</generator><lastBuildDate>Mon, 18 May 2026 04:17:38 GMT</lastBuildDate><atom:link href="https://forum.netgate.com/category/4.rss" rel="self" type="application/rss+xml"/><pubDate>Sun, 17 May 2026 07:56:35 GMT</pubDate><ttl>60</ttl><item><title><![CDATA[Restricting access to pfSense]]></title><description><![CDATA[@hack3rcon said in Restricting access to pfSense:

Problem solved.

Very good, and I didn't see it but you are right.
The rules are 'quick' rules, meaning the first one that matches will be executed and no further rules checked.
In the first screenshot the block rules come first and therefore the 'Trust' rules were never reached.
]]></description><link>https://forum.netgate.com/topic/200695/restricting-access-to-pfsense</link><guid isPermaLink="true">https://forum.netgate.com/topic/200695/restricting-access-to-pfsense</guid><dc:creator><![CDATA[patient0]]></dc:creator><pubDate>Sun, 17 May 2026 07:56:35 GMT</pubDate></item><item><title><![CDATA[OIDC auth for public facing access?]]></title><description><![CDATA[<p dir="auto">I'm trying to figure out how to better protect my public facing services. IMHO, If it's not obvious, the LLM assisted exploits are only going to improve.  Finding 0-days seems to be a weekly thing now and it's just the beginning.</p>
<p dir="auto">I think it'd be cool to have pfsense redirect an (incoming) user to /auth endpoint somewhere before accessing any of my services. The user has to log in to whatever IDP and then get redirected back to /auth with a jwt or something that the backend app could use to determine if the login succeeded. If so, then some authz check with user@gmail.com that you want to allow.  If all good, drop the user IP into a pfsense allow list for 12 hours or something.</p>
<p dir="auto">Ya I could just wireguard/tailscale everyone, but I run Nextcloud and share files with people sometimes.  WG will never fly for one-off file shares. A redirect could be automated where the user installs nothing.</p>
<p dir="auto">Another option is to just move all my public stuff to cloud providers, but that just adds up to cash I don't have lying around to burn.</p>
<p dir="auto">I'm probably trying to reinvent the wheel. Anyone know if something like this already exists?</p>
]]></description><link>https://forum.netgate.com/topic/200693/oidc-auth-for-public-facing-access</link><guid isPermaLink="true">https://forum.netgate.com/topic/200693/oidc-auth-for-public-facing-access</guid><dc:creator><![CDATA[Dave R2]]></dc:creator><pubDate>Sat, 16 May 2026 12:02:30 GMT</pubDate></item><item><title><![CDATA[Resolved]]></title><description><![CDATA[<p dir="auto">I am trying to open ports 1194 and 1195 on a pfsense router. My ISP (ATT) uses a BWG320 gateway. I have a static IP address and have the BWG320 set to passthrough my static ISP to my pfsense router. The correct IP address appears on the pfsense dashboard. I have Packet Filters disabled on the BWG320.</p>
<p dir="auto">I have the following rules set up on the WAN tab in pfsense:</p>
<p dir="auto"><img src="/assets/uploads/files/1778841258049-1d22af37-9ac2-4f89-a2c1-6899dcb0ef1e-image.png" alt="1d22af37-9ac2-4f89-a2c1-6899dcb0ef1e-image.png" class=" img-fluid img-markdown" /></p>
<p dir="auto">I also have this rule set up on the OpenVPN tab:</p>
<p dir="auto"><img src="/assets/uploads/files/1778841328890-1be764fe-d705-4d34-8c30-30834c2740b5-image.png" alt="1be764fe-d705-4d34-8c30-30834c2740b5-image.png" class=" img-fluid img-markdown" /></p>
<p dir="auto">When I test for open ports with  https://dnschecker.org/port-scanner.php<br />
both ports 1194 and 1195 time out.</p>
<p dir="auto">While trying different things, I created a copy of a port forwarding rule used for port 3389.  I forgot to change the redirect target IP and the redirect target port.  As a result the rule looks like this:</p>
<p dir="auto"><img src="/assets/uploads/files/1778841703030-54d769e3-7760-45ae-a578-aea1a449aed9-image.png" alt="54d769e3-7760-45ae-a578-aea1a449aed9-image.png" class=" img-fluid img-markdown" /></p>
<p dir="auto">When this port forwarding rule is enabled, https://dnschecker.org/port-scanner.php shows that port 1195 is open.  That leads me to believe 1195 is able to pass through the BWG320.</p>
<p dir="auto">Thoughts and suggestions as to how to get these ports open and working with OpenVPN will be appreciated.</p>
]]></description><link>https://forum.netgate.com/topic/200686/resolved</link><guid isPermaLink="true">https://forum.netgate.com/topic/200686/resolved</guid><dc:creator><![CDATA[kwessel]]></dc:creator><pubDate>Fri, 15 May 2026 10:43:42 GMT</pubDate></item><item><title><![CDATA[&quot;This Firewall (source)&quot; Alias]]></title><description><![CDATA[I got it on first read. But I don't think that interface-groups work like that. Most things you have to manage separately.
]]></description><link>https://forum.netgate.com/topic/200663/this-firewall-source-alias</link><guid isPermaLink="true">https://forum.netgate.com/topic/200663/this-firewall-source-alias</guid><dc:creator><![CDATA[Bob.Dig]]></dc:creator><pubDate>Sun, 10 May 2026 15:49:38 GMT</pubDate></item><item><title><![CDATA[Foreign source IPs from LAN from mobile device]]></title><description><![CDATA[
Shouldn't it send the request to or through the 75 address

That's exactly what it's trying to do—and exactly the traffic that pfSense is blocking on its LAN interface, which is what pfSense should be doing since presumably you haven't explicitly allowed this traffic to egress pfSense's LAN interface.
These 10.16.14.157/10.254.4.79- and 25.211.140.233/25.215.186.12-sourced packets should not be egressing the device's Wi-Fi interface (unless they're encapsulated in an already-established tunnel outbound 'through' pfSense).
]]></description><link>https://forum.netgate.com/topic/200651/foreign-source-ips-from-lan-from-mobile-device</link><guid isPermaLink="true">https://forum.netgate.com/topic/200651/foreign-source-ips-from-lan-from-mobile-device</guid><dc:creator><![CDATA[tinfoilmatt]]></dc:creator><pubDate>Thu, 07 May 2026 23:16:31 GMT</pubDate></item><item><title><![CDATA[&quot;This Firewall (networks)&quot; Alias]]></title><description><![CDATA[I probably would use it for blocking, even if WANs are included. I will put an allow WAN-Subnet before it, if needed ...
]]></description><link>https://forum.netgate.com/topic/200606/this-firewall-networks-alias</link><guid isPermaLink="true">https://forum.netgate.com/topic/200606/this-firewall-networks-alias</guid><dc:creator><![CDATA[Bob.Dig]]></dc:creator><pubDate>Tue, 28 Apr 2026 08:29:30 GMT</pubDate></item><item><title><![CDATA[alias natting not working since upgrade]]></title><description><![CDATA[@SteveITS (SOLVED)
Thank you for the information.
If I "killall filterdns" and then Status&gt;Filter Reload, the table is immediately updated.
]]></description><link>https://forum.netgate.com/topic/200602/alias-natting-not-working-since-upgrade</link><guid isPermaLink="true">https://forum.netgate.com/topic/200602/alias-natting-not-working-since-upgrade</guid><dc:creator><![CDATA[jsbsmd]]></dc:creator><pubDate>Mon, 27 Apr 2026 13:35:03 GMT</pubDate></item><item><title><![CDATA[pfBlockerNG - IPv4 Suppression - alias list failure]]></title><description><![CDATA[You're doing something incorrectly. Can you screencap what you mean by:

I have enabled IPv4 Suppression within pfBlockerNG and set an IP address with /32

]]></description><link>https://forum.netgate.com/topic/200596/pfblockerng-ipv4-suppression-alias-list-failure</link><guid isPermaLink="true">https://forum.netgate.com/topic/200596/pfblockerng-ipv4-suppression-alias-list-failure</guid><dc:creator><![CDATA[tinfoilmatt]]></dc:creator><pubDate>Sun, 26 Apr 2026 10:43:21 GMT</pubDate></item><item><title><![CDATA[P2P openvpn NAT and  firewall rules]]></title><description><![CDATA[<p dir="auto">Hi!<br />
I need help configuring firewall rules for openvpn, peer to peer, tls.</p>
<p dir="auto">Prerequisite:</p>
<ul>
<li>
<p dir="auto">P2P already established between my two Pfsense firewalls.</p>
</li>
<li>
<p dir="auto">Have access to all necessary networks and clients in both directions without problems.</p>
</li>
</ul>
<p dir="auto">My problem:</p>
<ul>
<li>I want to force one (1), only one, of the clients on the remote side to only use the server side's public IP address for internet access and not "surf" out to the remote side's public IP.</li>
</ul>
<p dir="auto">I have searched for solutions on the internet but have not found any solution unfortunately.</p>
<p dir="auto">So if anyone has a good idea and maybe a guide I would be grateful.</p>
<p dir="auto">Thanks<br />
Jonna</p>
]]></description><link>https://forum.netgate.com/topic/200581/p2p-openvpn-nat-and-firewall-rules</link><guid isPermaLink="true">https://forum.netgate.com/topic/200581/p2p-openvpn-nat-and-firewall-rules</guid><dc:creator><![CDATA[jonna99]]></dc:creator><pubDate>Fri, 24 Apr 2026 06:24:03 GMT</pubDate></item><item><title><![CDATA[pfblocker is blocking my own PFsense web interface from clients on my network]]></title><description><![CDATA[@Gertjan yeah I don't run dnsbl service, I just use pfblocker for alias creation that I use in my own rules.
Just wanted to explain what he was seeing with this ps command, it didn't find anything via his grep
]]></description><link>https://forum.netgate.com/topic/200556/pfblocker-is-blocking-my-own-pfsense-web-interface-from-clients-on-my-network</link><guid isPermaLink="true">https://forum.netgate.com/topic/200556/pfblocker-is-blocking-my-own-pfsense-web-interface-from-clients-on-my-network</guid><dc:creator><![CDATA[johnpoz]]></dc:creator><pubDate>Sun, 19 Apr 2026 11:41:26 GMT</pubDate></item><item><title><![CDATA[Firewall Rules]]></title><description><![CDATA[@Jarhead said in Firewall Rules:

Of course it will. Anything not allowed will be blocked by it.

No it won't, since right above it you have a reject all IPv4. How would something that is IPv4 get by the reject rule?
]]></description><link>https://forum.netgate.com/topic/200555/firewall-rules</link><guid isPermaLink="true">https://forum.netgate.com/topic/200555/firewall-rules</guid><dc:creator><![CDATA[johnpoz]]></dc:creator><pubDate>Sun, 19 Apr 2026 09:47:55 GMT</pubDate></item><item><title><![CDATA[DigitalOcean block (2604:a880:400:d1::&#x2F;48) today. ~100+ hits]]></title><description><![CDATA[@JonathanLee
For myself, I've just one open port on my WAN (both IPv4 and IPv6) : "1194 UDP" also known as OpenVPN.
RDP, SSH, MySQL etc etc etc etc are all on the 'never ever expose these on the Internet' list.
Don't worry about IPv6 scans. It's like looking for and counting stars in the galaxy, looking for planets and life on it ^^
]]></description><link>https://forum.netgate.com/topic/200521/digitalocean-block-2604-a880-400-d1-48-today.-100-hits</link><guid isPermaLink="true">https://forum.netgate.com/topic/200521/digitalocean-block-2604-a880-400-d1-48-today.-100-hits</guid><dc:creator><![CDATA[Gertjan]]></dc:creator><pubDate>Mon, 13 Apr 2026 03:08:54 GMT</pubDate></item><item><title><![CDATA[High Fraud Score (89&#x2F;100) and False Positives via HE IPv6 Tunnel]]></title><description><![CDATA[I emailed them and just explained I am a student and that I had a misconfigured and they fixed my score it was because of a proxy setting.
]]></description><link>https://forum.netgate.com/topic/200518/high-fraud-score-89-100-and-false-positives-via-he-ipv6-tunnel</link><guid isPermaLink="true">https://forum.netgate.com/topic/200518/high-fraud-score-89-100-and-false-positives-via-he-ipv6-tunnel</guid><dc:creator><![CDATA[JonathanLee]]></dc:creator><pubDate>Sun, 12 Apr 2026 20:34:41 GMT</pubDate></item><item><title><![CDATA[Please assist me with settings]]></title><description><![CDATA[If I’m not mistaken, the issue you’re facing is not caused by your configuration but by a limitation in the Asus router firmware.
Even with NAT disabled, firewall disabled, and correct static routes, an Asus router operating in Router Mode does not allow routing from the WAN interface toward the LAN network.
The WAN interface always treats the upstream device (pfSense in your case) as “Internet”, which means it blocks any attempt to reach LAN clients in the 192.168.50.0/24 subnet. This is why you can ping the Asus WAN IP from pfSense, but you cannot reach any clients behind it.
If you need full communication from pfSense to the devices behind the Asus, the only supported solution is to run the Asus in Access Point Mode, so it becomes part of the same LAN (192.168.10.0/24).
For the use case you described (Portainer, Docker, InfluxDB, Grafana), a separate subnet is not required. In AP Mode all services will be directly reachable, and pfSense’s Telegraf can send metrics to InfluxDB without any routing or NAT-related issues.
]]></description><link>https://forum.netgate.com/topic/200511/please-assist-me-with-settings</link><guid isPermaLink="true">https://forum.netgate.com/topic/200511/please-assist-me-with-settings</guid><dc:creator><![CDATA[netpt]]></dc:creator><pubDate>Fri, 10 Apr 2026 15:54:48 GMT</pubDate></item><item><title><![CDATA[Firewall rules for selective failover]]></title><description><![CDATA[Thank you @SteveITS for the reply. Yes this is for the VLAN20 interface. DNS is working for its devices when the first rule's gateway was "failover" and also when this is now set to asterisk. I have finished setting the first rule of all VLANs from gateway "failover" to asterisk and everything is working. Thank you for this clarification.
]]></description><link>https://forum.netgate.com/topic/200483/firewall-rules-for-selective-failover</link><guid isPermaLink="true">https://forum.netgate.com/topic/200483/firewall-rules-for-selective-failover</guid><dc:creator><![CDATA[richardsago]]></dc:creator><pubDate>Tue, 07 Apr 2026 08:49:56 GMT</pubDate></item><item><title><![CDATA[Swapping of connection states on inbound interface in diagnostics]]></title><description><![CDATA[<p dir="auto">When I try to connect from one VLAN, let's call it the Users VLAN, to a switch that doesn't respond in the Management VLAN, I see two states:</p>
<ol>
<li>The state bound to the Users interface shows my user IP -&gt; switch IP:443 and the state: CLOSED:SYN_SENT</li>
<li>The state bound to the Management interface shows the same user IP -&gt; switch IP:443 but the state: SYN_SENT:CLOSED.</li>
</ol>
<table class="table table-bordered table-striped">
<thead>
<tr>
<th>Interface</th>
<th>Protocol</th>
<th>Source → Destination</th>
<th>State</th>
<th>Packets</th>
</tr>
</thead>
<tbody>
<tr>
<td>USERS</td>
<td>tcp</td>
<td>192.168.10.2:58319 → 192.168.99.2:443</td>
<td>CLOSED:SYN_SENT</td>
<td>3 / 0</td>
</tr>
<tr>
<td>MANAGEMENT</td>
<td>tcp</td>
<td>192.168.10.2:58319 → 192.168.99.2:443</td>
<td>SYN_SENT:CLOSED</td>
<td>3 / 0</td>
</tr>
</tbody>
</table>
<p dir="auto">According to pfSense documentation, the left side of the state shows the source side, while the right side shows the destination side.</p>
<p dir="auto">In the state of the interface through which the packet enters the firewall (PF_IN), the source and destination are swapped: CLOSED:SYN_SENT. The code responsible for the swapping can be seen here: https://github.com/freebsd/freebsd-src/blob/3f79bc9ca336f634e1afa262ccf5155882550a8a/sbin/pfctl/pf_print_state.c#L247</p>
<p dir="auto">What I don't understand is why did pfSense decide to swap the source and destination when the packet direction is PF_IN (incoming). This is really confusing to me as I expect the left side to show the user sending a SYN packet, but the Users interface state is showing it on the right as if it were the switch that sent the SYN packet.</p>
<p dir="auto">The question is: why does pfSense decide to swap source and destination states in the inbound interface state (in this case Users interface): CLOSED:SYN_SENT ?</p>
<p dir="auto">Thank you in advance.</p>
]]></description><link>https://forum.netgate.com/topic/200474/swapping-of-connection-states-on-inbound-interface-in-diagnostics</link><guid isPermaLink="true">https://forum.netgate.com/topic/200474/swapping-of-connection-states-on-inbound-interface-in-diagnostics</guid><dc:creator><![CDATA[blubber7196]]></dc:creator><pubDate>Sun, 05 Apr 2026 15:24:36 GMT</pubDate></item><item><title><![CDATA[Cannot access some switches anymore?]]></title><description><![CDATA[@SteveITS that's right.
The two switches not being accessed are L2/L3 and lost the internal VLAN routing. I re-enabled it by accessing from VLAN1 and re-adding an IP on both Switches' VLAN10 interface: both got accessed again from VLAN10 devices.
Now I'll properly go (hopefully) through ACL settings to limit access to some devices only.
Thank you very much for pointing me in the right direction.
]]></description><link>https://forum.netgate.com/topic/200446/cannot-access-some-switches-anymore</link><guid isPermaLink="true">https://forum.netgate.com/topic/200446/cannot-access-some-switches-anymore</guid><dc:creator><![CDATA[Urbaman75]]></dc:creator><pubDate>Tue, 31 Mar 2026 23:11:22 GMT</pubDate></item><item><title><![CDATA[Unknown block “to any no-df max-mss 1400 fragment reassemble”]]></title><description><![CDATA[Sorry for the delay.
An update to Sense “fixed” the problem—but I suspect the issue was caused by the client rather than Sense.
]]></description><link>https://forum.netgate.com/topic/200440/unknown-block-to-any-no-df-max-mss-1400-fragment-reassemble</link><guid isPermaLink="true">https://forum.netgate.com/topic/200440/unknown-block-to-any-no-df-max-mss-1400-fragment-reassemble</guid><dc:creator><![CDATA[deleted]]></dc:creator><pubDate>Tue, 31 Mar 2026 09:47:11 GMT</pubDate></item><item><title><![CDATA[debugging aliases]]></title><description><![CDATA[@johnpoz thanks. I should have googled it first. I found the answer on an old thread. For the benefit of someone else and possibly me, I will say look in the table of diagnostics and there will be an entry named after your alias.
I only had two FQDN entries. I don't know what happened. It just started working after I deleted it then recreated it. Maybe it got corrupted somehow. I didn't know about diagnostics then so I didn't have a look.
]]></description><link>https://forum.netgate.com/topic/200419/debugging-aliases</link><guid isPermaLink="true">https://forum.netgate.com/topic/200419/debugging-aliases</guid><dc:creator><![CDATA[ageis]]></dc:creator><pubDate>Fri, 27 Mar 2026 10:41:05 GMT</pubDate></item><item><title><![CDATA[using domain name in rules]]></title><description><![CDATA[@johnpoz said in using domain name in rules:

since are you not in the EU?

Afaik, France, where I am, is still part of the EU 
]]></description><link>https://forum.netgate.com/topic/200410/using-domain-name-in-rules</link><guid isPermaLink="true">https://forum.netgate.com/topic/200410/using-domain-name-in-rules</guid><dc:creator><![CDATA[Gertjan]]></dc:creator><pubDate>Wed, 25 Mar 2026 00:00:04 GMT</pubDate></item><item><title><![CDATA[Best Suricata version for IDS + AI Anomaly Detection on RPi (16GB RAM)]]></title><description><![CDATA[@bmeeks said in Best Suricata version for IDS + AI Anomaly Detection on RPi (16GB RAM):

Not good to run a mail server on your firewall.

Oh shit - it's not, damn now I have to redo a bunch of stuff..
Just a joke - hehehe
]]></description><link>https://forum.netgate.com/topic/200405/best-suricata-version-for-ids-ai-anomaly-detection-on-rpi-16gb-ram</link><guid isPermaLink="true">https://forum.netgate.com/topic/200405/best-suricata-version-for-ids-ai-anomaly-detection-on-rpi-16gb-ram</guid><dc:creator><![CDATA[johnpoz]]></dc:creator><pubDate>Mon, 23 Mar 2026 21:44:48 GMT</pubDate></item><item><title><![CDATA[Bug when deleting nested Aliasses]]></title><description><![CDATA[duplicate of https://redmine.pfsense.org/issues/16750
]]></description><link>https://forum.netgate.com/topic/200390/bug-when-deleting-nested-aliasses</link><guid isPermaLink="true">https://forum.netgate.com/topic/200390/bug-when-deleting-nested-aliasses</guid><dc:creator><![CDATA[SteveITS]]></dc:creator><pubDate>Fri, 20 Mar 2026 08:03:41 GMT</pubDate></item><item><title><![CDATA[Log entry with no port number - Can&#x27;t create quick rule.]]></title><description><![CDATA[<p dir="auto">Hello,</p>
<p dir="auto">I noticed a blocked connection (no port displayed/logged) from a remote file server that I fetch backups from via an outgoing rsync connection to the remote server over a wireguard VPN on port 873.</p>
<p dir="auto">(The wireguard tunnel is 10.80.0.0/24, the remote site net is 192.168.0.0/24 and my net is 192.168.42.0/24. The outgoing connection goes out from my NAS, through my pfSense to the remote pfSense box, then onto the remote LAN to their NAS. Each connection is made between 192.168.42.0/24 and 192.168.0.0/24 as the VPN endpoint IPs point to the pfSense boxen. Each pfSense box has a route to the remote site and I only allow 873 through.)</p>
<p dir="auto"><img src="/assets/uploads/files/1773691411345-brave_screenshot.png" alt="brave_screenshot.png" class=" img-fluid img-markdown" /></p>
<p dir="auto">The backup works fine, but I am seeing a denied connection without a port number. Simply identified as 'TCP:' from a private IP (no port) to a private IP (no port).</p>
<p dir="auto"><img src="/assets/uploads/files/1773691500103-brave_screenshot-1.png" alt="brave_screenshot (1).png" class=" img-fluid img-markdown" /></p>
<p dir="auto">If I add an easy Rule...</p>
<p dir="auto"><img src="/assets/uploads/files/1773691562181-brave_screenshot-2.png" alt="brave_screenshot (2).png" class=" img-fluid img-markdown" /></p>
<p dir="auto">It errors out with 'No port number' but I can't add one - not that I know what port to add.</p>
<p dir="auto"><img src="/assets/uploads/files/1773691570312-brave_screenshot-3.png" alt="brave_screenshot (3).png" class=" img-fluid img-markdown" /></p>
<p dir="auto">I haven't noticed TCP traffic without port numbers before.</p>
<p dir="auto">Any info on what may be causing this?</p>
<p dir="auto">Thank you.</p>
]]></description><link>https://forum.netgate.com/topic/200374/log-entry-with-no-port-number-can-t-create-quick-rule.</link><guid isPermaLink="true">https://forum.netgate.com/topic/200374/log-entry-with-no-port-number-can-t-create-quick-rule.</guid><dc:creator><![CDATA[pfSense-Rocks]]></dc:creator><pubDate>Mon, 16 Mar 2026 20:06:35 GMT</pubDate></item><item><title><![CDATA[No internet access from DMZ]]></title><description><![CDATA[<p dir="auto">Re: <a href="/topic/57949/no-internet-access-from-dmz-opt1">No internet access from DMZ(OPT1)</a></p>
<p dir="auto">I know there are a few threads like this on the forum, putting my experience in case it helps someone else.</p>
<p dir="auto">I added a new Nic in the box, added interface, set up DMZ. No internet access from DMZ. Devices inside the DMZ got IPs from the DHCP, can ping each other, but can't ping FW, can't ping out, no internet access.</p>
<p dir="auto">I took another box. Moved Nics over. Fresh install of PF, Restore the same config. Correctly assigned the interfaces. Now on the new box even the LAN can't ping FW and LAN has no internet access. DMZ same, can't ping FW and no internet.</p>
<p dir="auto">Realized must be something like an underlying config is interfering. Started removing all sorts of config and testing.</p>
<p dir="auto">Found I had a QOS, Traffic Shaper, for the voip. Deleted this. Instantly everything worked perfect, all fixed.</p>
<p dir="auto">If adding a DMZ (or second LAN), might need to remove any Traffic Shaper, then add back after.</p>
<p dir="auto">All the Best   ;-)</p>
]]></description><link>https://forum.netgate.com/topic/200367/no-internet-access-from-dmz</link><guid isPermaLink="true">https://forum.netgate.com/topic/200367/no-internet-access-from-dmz</guid><dc:creator><![CDATA[ashwiz]]></dc:creator><pubDate>Mon, 16 Mar 2026 05:05:09 GMT</pubDate></item><item><title><![CDATA[bug when editing firewall rule]]></title><description><![CDATA[<p dir="auto">pfsense+ 25.07.1 / CE 2.8.1</p>
<p dir="auto">When I edit a firewall rule with a gateway defined<br />
<img src="/assets/uploads/files/1773468884047-829f65fd-4126-47a9-8081-91f366373cb9-image.png" alt="829f65fd-4126-47a9-8081-91f366373cb9-image.png" class=" img-fluid img-markdown" /></p>
<p dir="auto">it opens the rule with gateway default</p>
<p dir="auto"><img src="/assets/uploads/files/1773468938868-0734213e-f4b1-4d48-86e7-85a1de2b16a0-image.png" alt="0734213e-f4b1-4d48-86e7-85a1de2b16a0-image.png" class=" img-fluid img-markdown" /></p>
<p dir="auto">and if you don't pay attention to this (changing something else) and save the rule - the rule is saved with default gateway.</p>
]]></description><link>https://forum.netgate.com/topic/200349/bug-when-editing-firewall-rule</link><guid isPermaLink="true">https://forum.netgate.com/topic/200349/bug-when-editing-firewall-rule</guid><dc:creator><![CDATA[dave.opc]]></dc:creator><pubDate>Sat, 14 Mar 2026 06:17:28 GMT</pubDate></item></channel></rss>